Many computer network systems process access control lists (ACLs) at line rate without making queries, as packets would otherwise be delayed or dropped. One form of an access control entry (ACE) in an ACL is a hostname, e.g., “www.cisco.com”. Operating systems of packet processing devices, however, often translate hostnames into IP addresses at configuration or boot time (e.g., 95.100.176.170), rather than using the hostname. Such a method does not adhere to domain name server (DNS) caching semantics, and may lead to the wrong address being either denied access or (worse) granted access to a resource. This is particularly necessary in a world of cloud resources where host→ip address bindings may change as services migrate or change their load balancing schemes based on conditions (e.g., www.google.com may have thousands of addresses). In fact, a query for the same name from two hosts on the same network may return different IP addresses, such that a first of the IP addresses learned may be stored in the ACL, but other valid IP addresses may not be, and thus devices learning those other IP addresses may be denied access inappropriately. Worse still, it is possible that neither address might be learned.